Skip to content

Latest commit

 

History

History
365 lines (261 loc) · 19.1 KB

2.0 Expand Training.md

File metadata and controls

365 lines (261 loc) · 19.1 KB

2.0 - EXPAND TRAINING

  • Section Lead - Glenn ten Cate
  • Section Team - Christine Abernathy, Randall T. Vasquez, David A. Wheeler, CRob, Eric Tice, Avishay Balter, Riccardo ten Cate, Jeff Wayman
  • Section Meeting Time/Details - 8am EST alternating Thursdays
  • Section Meeting Zoom link
  • Section Meeting Notes

With existing education materials collected, curated, and gap-analyzed in Section 1, the next steps are to begin augmenting existing resources and create new training materials using a "Three Legged Stool" approach. The three legs of the education stool represent different styles of material delivery to learners. The first type are traditional instructor-led or Comptuer Based Training (CBT) style classes/courses. The second learning strategy is hands-on labs and hackathon-style events, where we will use is tactile, and appeals to learners that need to actually performa activities to reeinforce learning. The Last leg of our education stool is what we've termed "Supplemental" or "real-time" learning activities such as documentation, blogs, podcasts, and the like. These allow maximim flexibility for the learner to ingest and make connectsion with at their own pace.

Imperitive to this effort is partnering with a skilled development team to create these hands-on labs and to perform the required integeations with external systems for badging, certications, and testing. Details about this team (who will be supporting the Security Knowledge Framework (SKF) applciation and infrastructure) are listed within the SKF-OPS Appendix.

2.1 Goal: SKF Ops Team

The primary objective of the Security Knowledge Framework (SKF) Operations Team is to ensure that SKF survives the test of time and is freely available for generations of Security learning.

Time & resource estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
G2.1 8 SKF OPS 29- 31 232-248 ➡️ Y1
  • Estimated Total Combined Hours: Y1 232-248 from SKF OPS team
  • Infrastructure costs - $65,000

2.2 Goal: Refactor 'Lab' contribution procedures

We want to make new contributions to the SKF Labs as smoothly as possible but also make sure we have high-quality materials being pushed

Key Steps/Milestones

  • M1: Publish updated 'Lab' and 'Content' contribution procedures
    • Review currently established 'Lab' contribution procedures
    • Refactor 'Lab' contribution procedures into a 'Lab/Write-up Style Guide' document
    • Publish 'Lab/Write-up Style Guide' document

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 SKF OPS 10 80 ➡️ Y1
  • Estimated Total Combined Hours: Y1 80 from SKF OPS team

2.3 Expand current 'Lab' offerings that correlate to the currently indexed Security Knowledge Graph (SKG) 'Standards'

Expand current 'Labs' offerings to complete SKF's coverage with the currently indexed standards (e.g., ASVS & WSTG) in the Security Knowledge Graph (SKG)

In the Security Knowledge Framework (SKF), we define a 'Lab' as an isolated web application environment demonstrating a specific Security vulnerability/concept. Each 'Lab' also details how to exploit and fix the said vulnerability/concept in an accompanying 'Write-up' markdown file. Each 'Write-up' should be authored in accordance with the SKF 'Lab/Write-up Style Guide'.

Key Steps/Milestones

  • M1: Improving the current 'Lab' offering to cover the currently indexed standards (e.g., ASVS & WSTG) in the Security Knowledge Graph (SKG)

    • Python
      • Create [180 Labs] new Python labs
      • correlate new Python 'Labs' to 'Concepts'
    • Java
      • Create [180 Labs] new Java labs
      • correlate new Java 'Labs' to 'Concepts'
    • Nodejs
      • Create [180 Labs] new NodeJS labs
      • correlate new NodeJS 'Labs' to 'Concepts'

  • M2: Create job descriptions for contractors for M3

    • Create a job description for secdev contributor per program language
    • Get feedback on the job description
    • post opening and interview candidates
    • onboard secdev contributors

  • M3: Extending current 'Lab' offerings to include 5 other languages for the currently indexed standards (e.g., ASVS & WSTG) in the Security Knowledge Graph (SKG)

    • Ruby
      • Create [280 Labs] new Ruby labs
      • Correlate new Ruby 'Labs' to 'Concepts'
    • Rust
      • Create [280 Labs] new Rust labs
      • Correlate new Rust 'Labs' to 'Concepts'
    • Go
      • Create [280 Labs] new Go labs
      • Correlate new Go 'Labs' to 'Concepts'
    • DotNet/C#
      • Create [280 Labs] new DotNet/C# labs
      • Correlate new DotNet/C# 'Labs' to 'Concepts'
    • C/C++
      • Create [280 Labs] new C/C++ labs
      • Correlate new C/C++ 'Labs' to 'Concepts'

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 SKF OPS 540 4320 ➡️ Y1
M2 8 SKF OPS 8 64 ➡️ Y1
M3 8 SKF OPS 540 4320 ➡️ Y2
  • Each new 'Lab' is expected to take about ~8 hours to develop.
  • Estimated Total Combined Hours: Y1 SKF OPS 4,384 Y2 SKF OPS 4,320

2.4 Goal: Create new 'Labs' that correlate to OpenSSF's Secure Development Fundamentals course

Create new 'Labs' offerings to complete SKF's coverage with the OpenSSF's Secure Development Fundamentals course in the Security Knowledge Graph (SKG)

In the Security Knowledge Framework (SKF), we define a 'Lab' as an isolated web application environment demonstrating a specific Security vulnerability/concept. Each 'Lab' also details how to exploit and fix the said vulnerability/concept in an accompanying 'Write-up' markdown file. Each 'Write-up' should be authored in accordance with the SKF 'Lab/Write-up Style Guide'.

Key Steps/Milestones

  • M1: Perform gap analysis from the current SKF 'Lab' offering (including the work already performed in 2.3 Goal)

    • Perform gap analysis

  • M2: Create job descriptions for contractors for M3

    • Create a job description for secdev contributor per program language
    • Get feedback on the job description
    • post opening and interview candidates
    • onboard secdev contributors

  • M3: Extending current 'Lab' offerings to include all current programming languages for the OpenSSF's Secure Development Fundamentals course in the Security Knowledge Graph (SKG)

    • Python
      • Create [30 Labs +/- ] new Python labs
      • Correlate new Python 'Labs' to 'Concepts'
    • Java
      • Create [30 Labs +/- ] new Java labs
      • Correlate new Java 'Labs' to 'Concepts'
    • Nodejs
      • Create [30 Labs +/- ] new NodeJS labs
      • Correlate new NodeJS 'Labs' to 'Concepts'
    • Ruby
      • Create [30 Labs +/- ] new Ruby labs
      • Correlate new Ruby 'Labs' to 'Concepts'
    • Rust
      • Create [30 Labs +/- ] new Rust labs
      • Correlate new Rust 'Labs' to 'Concepts'
    • Go
      • Create [30 Labs +/- ] new Go labs
      • Correlate new Go 'Labs' to 'Concepts'
    • DotNet/C#
      • Create [30 Labs +/- ] new DotNet/C# labs
      • Correlate new DotNet/C# 'Labs' to 'Concepts'
    • C/C++
      • Create [30 Labs +/- ] new C/C++ labs
      • Correlate new C/C++ 'Labs' to 'Concepts'

Time & Resource Estimate

YEAR 1

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 SKF OPS 5 40 ➡️ Y1
M2 8 SKF OPS 10 80 ➡️ Y1
M3 8 SKF OPS 8hrs X lab X 100 labs 800 ➡️ Y1

YEAR 2

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M3 8 SKF OPS 8hrs x lab x 140 labs 1120 ➡️ Y2
M4 8 SKF OPS 24 192 ➡️ Y2

The Key Steps/Milestones is an indication and educated guess of the amount of missing 'Labs'. Remark: The number of hours might be less is than we assume.

  • Each new 'Lab' is expected to take about ~8 hours to develop.
  • Estimated Total Combined Hours: Y1 SKF OPS 920 Y2 SKF OPS 1312

2.5 Goal: Update the currently indexed standards (e.g., (m)ASVS & WSTG, PCI-DSS and the course: OpenSSF Security Fundamentals) in the Security Knowledge Graph (SKG) in an automated fashion

We want to facilitate new updates of the materials as smoothly as possible by creating automatic CI/CD actions so they can be consumed into SKF and the SKG component

Key Steps/Milestones

  • M1: Create per standard and/or course an automated action for pulling in updates
    • OpenSSF Security Fundamental Course creates CI/CD ingestion action to SKF & SKG
    • ASVS create CI/CD ingestion action to SKF & SKG
    • WSTG create CI/CD ingestion action to SKF & SKG
    • MASVS create CI/CD ingestion action to SKF & SKG
    • PCI-DSS create CI/CD ingestion action to SKF & SKG

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 SKF OPS 60 480 ➡️ Y1
  • Estimated Total Combined Hours: Y1 SKF OPS 480

2.6 Goal: Create Quizzes & Tests for currently indexed standards (e.g., (m)ASVS & WSTG, PCI-DSS and the course: OpenSSF Security Fundamentals) in the Security Knowledge Graph (SKG)

Currently, SKF doesn't have any quizzes or tests implemented in SKG Database or Web for any of the currently indexed content

(Consider paying special attention to prevent certain users trying to game the system.)

Note: Integration with LFX platform

Key Steps/Milestones

  • M1: Design UI/UX for Quizzes & Tests Area
    • Determine extent of integration possible with LFX platform
    • Prototype the Quizzes & Tests area of the SKG Web on Figma.
  • M2: Implement Quizes & Tests in SKG Database
    • ASVS / WSTG
    • OpenSSF Security Fundamentals

(Some of course, such as the OpenSSF Security Fundamentals, already have pre-existing quizzes/tests that only need to implemented in SKG.)

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 SKF OPS 10 80 ➡️ Y1
M2 4 SKF OPS 20 80 ➡️ Y1
  • Estimated Total Combined Hours: Y1 SKF OPS 160

2.7 Goal: Alternate delivery streams for content

Many traditional channels are available to augment traditional classes and labs such as podcasts, blogs, and webinars. These are generally inexpensive and readily-accessible tools to amplify the awareness of key concepts and techniques

Key Steps/Milestones

  • M1: Establish a job description for an educational content developer.

    • Create a job description for an educational content developer
    • Get feedback on the job description
    • post opening and interview candidates
    • onboard secdev contributors

  • M2: Create a calendar of conferences where our content would be useful to train

    • Identify potential conferences where we want to present the materials and platform
    • Contact conferences and apply for CFP / CFT
    • Create a calendar of selected conferences

  • M3: Creation of training slides

    • Create a "Bootcamp" slide deck for using as delivery method for in-person trainings
    • Deliver two "Bootcamps" at LF-sponsored conferences based on existing Secure Development Fundamentals class

  • M4: Creation of materials for other channels

    • Deliver twelve "thought leadership" secure development blogs
    • Deliver 2 secure development OSSF webinars

  • M5: Identification of the different channels of the delivery of materials

    • Identify and select channels content will be delivered in
    • Create a roadmap for content creation and publication

  • M6: Podcast creation

    • Create a "Secure from the (open) Source" podcast and produce 12 episodes
    • $35k for equipment and software to produce & publish podcast

  • M7: Promotion using LF network

    • Contact LF Marketing for podcasting/webinar/blogging resources
    • Reach out to LF Marketing about opportunities for bootcamps, CTF, speaking

Time & Resource Estimate

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 5 18 90 ➡️ Y1
M2 4 10 40 ➡️ Y1
M3 4 45 180 ➡️ Y1
M4 4 + OSSF Staff 40 160 + 48 OSSF Staff ➡️ Y1
M5 4 10 40 ➡️ Y1
M6 3 + OSSF Staff 4 hours each podcast x 12 144 + 32 OSSF Staff ➡️ Y1
M7 2 10 20 ➡️ Y1
  • Estimated Total Combined Volunteer Hours: Y1 674
  • 80 OSSF support hours to facilitate the editing and publication of blogs, webinars, podcasts - annual
  • Y1 - Hire Education Content Developer (1 person x $ 300K): $ 300K
  • Y1 - $35,000 to equip and produce a podcast including graphics and music

2.8 Goal: Develop in-person educator-led variations of training materials and deliver bootcamps at conferences

Modify existing materials and develop a training course that could be delivered at conferences including utilizing hands-on labs

Key Steps/Milestones

  • M1: Gap analysis existing content

    • Review existing content
    • Create new materials for identified gaps or quality improvements

  • M2: Creation of training slides

    • Generate modified class-based slide decks for use as a delivery method class training
    • Generate slide decks for training the trainers so they are knowledgeable and skilled to led the in class-based materials

  • M3: Coordinate with conferences to deliver materials

    • Based on G2.7 M2, generate CFP submissions for desired conferences
    • work with OSSF staff for LF-sponsored events

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 40 320 ➡️ Y1
M2 4 20 80 ➡️ Y1
M3 4 + OSSF Staff 10 40 + 24 ➡️ Y1
  • Estimated Total Combined Volunteer Hours: Y1 440
  • 24 OSSF support hours to facilitate conferences

2.9 Goal: Release a RELEASE version for Hack OS for local usage

The SKF Hack OS will also be available for local usage and following the hands-on labs, this will make it easier for educators to consume it in their learning program

Key Steps/Milestones

  • M1: Hack OS Lab improvement for local usage

    • Improve the Hack OS Lab and add preinstalled tools

  • M2: Build an automated build pipeline for supported programing languages

    • Build and release Hack OS Lab for Python
    • Build and release Hack OS Lab for Java
    • Build and release Hack OS Lab for NodeJS
    • Build and release Hack OS Lab for Go
    • Build and release Hack OS Lab for Ruby
    • Build and release Hack OS Lab for Rust
    • Build and release Hack OS Lab for C/C++
    • Build and release Hack OS Lab for DotNet/C#

Time & Resource Estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 4 SKF OPS 60 220 ➡️ Y1
M2 8 SKF OPS 8 Labs (16hr each) 128 ➡️ Y1
  • Estimated Total Combined Volunteer Hours: Y1 348 SKF OPS

2.10 Goal: Goal: Identify sources of insecure code snippets - YEAR2

Identify areas where developers are copying or extracting insecure code snippets and work to correct the most widely-applied vulnerable snippets in order to address common problems and challenges, such as those found on StackOverflow. Build on existing research in this area

Key Steps/Milestones

  • M1: Reach out to StackOverflow to see if they have any data on this, open discussions on how to mitigate.
  • M2: CodeQL may be a good integration for this - reach out to a team.

Time & resource estimate

Milestone Estimated Volunteers Estimated Individual Hours Estimated Total Hours Stage
M1 8 SKF OPS TBD TBD ➡️ Y2
M2 8 SKF OPS TBD TBD ➡️ Y2

Continue to Section 3 - Reward & Incentive Developers